Friday, March 13, 2009

XP SP3 and Server 2003 SP2 may need repatching

If you installed XP Service Pack 3 or Windows Server 2003 Service Pack 2 after September 2008, you need to reapply an important security update.

In addition, if Windows Update offers your XP or Server 2003 system Microsoft's security bulletin MS08-067 patch, you should install it — even if you've previously done so. You may be wondering why my lead topic today is MS08-067, a patch from 2008. Well, I'm wondering, too.

You may find this week that your Windows XP SP3 and Windows 2003 SP2 machines are offered MS08-067 (954593). If so, you probably installed SP3 on XP or SP2 on Windows 2003 some time after September 2008.

People who installed MS08-067 when it first came out last summer — and then installed either the XP SP3 or 2003 SP2 service pack — may not know that their systems were reverted to a vulnerable version of gdiplus.dll. Service packs aren't supposed to do that. They're supposed to be smart enough to retain the patched versions of all system files.

Last month, however, I found that some XP machines I'd updated to SP3 post-September had the pre-update version of gdiplus.dll. On three of the systems, my third-party patching tool from Shavlik flagged this file as out-of-date. It offered the patch to me when I performed a manual scan.

I thought it odd at the time, but I believed that the problem was with Shavlik's tool, not Microsoft's. When I reviewed the patch information on Shavlik's forum, though, I found a forum post from last November by a commenter named Fordhami indicating that Microsoft knew of this issue back then. Interestingly, I'd installed XP SP2 on several XP SP3 workstations and then reinstalled XP SP3, only to find that the machines were properly patched. I searched for gdiplus.dll on those systems and found three files in locations similar to the following path:

C:\Windows\WinSxS\x86_Microsoft.Windows.GdiPlus_hashnumber

The version of all three files was 5.1.3102.5581. This indicated that the machine was patched. You may want to search for that file and see what version you have. Don't worry about any gdiplus.dll files located elsewhere on your system. The important one is found in the WinSxS folder.
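To do that check without clicking through file properties, here is an added PowerShell script (my own, not from the original post or from Shavlik) that lists every gdiplus.dll in the GdiPlus side-by-side folders under WinSxS and flags any copy older than the 5.1.3102.5581 version cited above. It assumes %SystemRoot% is your Windows directory and that the patched version number is the one the post reports.

```powershell
# Added example, not part of the original post: enumerate the gdiplus.dll copies
# under WinSxS and compare each against the patched version the post cites.
# Assumes %SystemRoot% is the Windows directory (C:\Windows in the post).

$PatchedVersion = [Version]'5.1.3102.5581'   # version the post reports on a patched XP SP3 box
$WinSxS = Join-Path $env:SystemRoot 'WinSxS'

function Get-GdiPlusStatus {
    param([string]$Root = $WinSxS, [Version]$Expected = $PatchedVersion)

    # Only the side-by-side GdiPlus assemblies matter here; other gdiplus.dll
    # copies elsewhere on the system are ignored, as the post advises.
    Get-ChildItem -Path $Root -Filter 'gdiplus.dll' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -like '*Microsoft.Windows.GdiPlus*' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string on
            # XP system files carries a build-lab suffix that [Version] cannot parse.
            $ver = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Version = $ver
                Patched = ($ver -ge $Expected)
            }
        }
}

$status = @(Get-GdiPlusStatus)
if ($status.Count -eq 0) {
    Write-Warning "No GdiPlus side-by-side assembly found under $WinSxS"
    exit 2
}
$status | Format-Table Version, Patched, Path -AutoSize
if ($status | Where-Object { -not $_.Patched }) {
    Write-Warning 'At least one WinSxS copy of gdiplus.dll is older than the patched version; reinstall the update.'
    exit 1
}
```

A non-zero exit code makes the script easy to run from a login script or a patch-management job across several machines.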

This isn't the first patch-detection problem for XP SP3. Given the number of months since the update's initial release, it's disturbing that the problem is just now coming to light. People still ask me whether it's OK to install SP3 on XP systems. When it comes to any service pack, I always caution you to be prepared by creating a complete backup before installing it.